challenger

OAuth 2.0-based authentication service that validates user can receive messages at a certain address
Log | Files | Refs | Submodules | README | LICENSE

commit 639d0ff3de76125cd55f04e2851a7e1e86d93de1
parent b7c30ba978454a5aca87b004acb764db8d0d5707
Author: Christian Grothoff <grothoff@gnunet.org>
Date:   Mon, 13 Jul 2026 20:40:56 +0200

fix cross-client validation

Diffstat:
Msrc/challenger/challenger-httpd_token.c | 12+++++++++++-
Msrc/challengerdb/validation_get_pkce.c | 5++++-
Msrc/include/challenger-database/validation_get_pkce.h | 2++
3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/src/challenger/challenger-httpd_token.c b/src/challenger/challenger-httpd_token.c @@ -414,9 +414,19 @@ CH_handler_token (struct CH_HandlerContext *hc, enum GNUNET_DB_QueryStatus qs; char *code; enum CHALLENGER_CM code_challenge_method_enum; - + unsigned long long code_client_id; + char code_dummy; + + /* bc->client_id was already validated as a number in the client-auth + block above; re-parse it here (it is out of scope) so we can bind the + authorization code to the authenticated client. */ + GNUNET_assert (1 == sscanf (bc->client_id, + "%llu%c", + &code_client_id, + &code_dummy)); qs = CHALLENGERDB_validation_get_pkce (CH_context, &bc->nonce, + (uint64_t) code_client_id, &client_secret, &address, &client_scope, diff --git a/src/challengerdb/validation_get_pkce.c b/src/challengerdb/validation_get_pkce.c @@ -30,6 +30,7 @@ enum GNUNET_DB_QueryStatus CHALLENGERDB_validation_get_pkce ( struct CHALLENGERDB_PostgresContext *ctx, const struct CHALLENGER_ValidationNonceP *nonce, + uint64_t client_id, char **client_secret, json_t **address, char **client_scope, @@ -43,6 +44,7 @@ CHALLENGERDB_validation_get_pkce ( struct GNUNET_PQ_QueryParam params[] = { GNUNET_PQ_query_param_auto_from_type (nonce), GNUNET_PQ_query_param_absolute_time (&now), + GNUNET_PQ_query_param_uint64 (&client_id), GNUNET_PQ_query_param_end }; struct GNUNET_PQ_ResultSpec rs[] = { @@ -88,7 +90,8 @@ CHALLENGERDB_validation_get_pkce ( " JOIN clients " " USING (client_serial_id)" " WHERE nonce=$1" - " AND expiration_time > $2"); + " AND expiration_time > $2" + " AND client_serial_id=$3"); return GNUNET_PQ_eval_prepared_singleton_select (ctx->conn, "validation_get_pkce", params, diff --git a/src/include/challenger-database/validation_get_pkce.h b/src/include/challenger-database/validation_get_pkce.h @@ -35,6 +35,7 @@ * * @param cls * @param nonce unique nonce to use to identify the validation + * @param client_id serial id of the authenticated client redeeming the code * @param[out] client_secret set to secret of client (for client that setup the challenge) * @param[out] address set to client-provided address * @param[out] client_scope set to OAuth2 scope @@ -51,6 +52,7 @@ enum GNUNET_DB_QueryStatus CHALLENGERDB_validation_get_pkce ( struct CHALLENGERDB_PostgresContext *ctx, const struct CHALLENGER_ValidationNonceP *nonce, + uint64_t client_id, char **client_secret, json_t **address, char **client_scope,